Sony USB rootkit not as bad as CD case but still serious: F-Secure


Sony Corporation is in the news again over its proclivity to install hidden directories on its customers' hard drives. However, the revelation that some Sony USB memory sticks come with rootkit-like software is not quite as bad as the infamous Sony CD DRM case two years ago, according to the security company that went public with the story.

In a nutshell, Finnish security company F-Secure has reported finding software with rootkit-like behaviour supplied with Sony USB sticks that have a built-in fingerprint reader.

"The Sony MicroVault USM-F fingerprint reader software that comes with the USB stick installs a driver that is hiding a directory under 'c:\windows\'. So, when enumerating files and subdirectories in the Windows directory, the directory and files inside it are not visible through Windows API. If you know the name of the directory, it is e.g. possible to enter the hidden directory using Command Prompt and it is possible to create new hidden files," Mikko Hypponen, chief research officer at F-Secure, wrote in the company blog.

"There are also ways to run files from this directory. Files in this directory are also hidden from some antivirus scanners (as with the Sony BMG DRM case) — depending on the techniques employed by the antivirus software. It is therefore technically possible for malware to use the hidden directory as a hiding place."
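The behaviour described above (a directory missing from enumeration but reachable by name) can be checked with a cross-view comparison. The following is an added example, not code from F-Secure or Sony; the candidate names, the `find_hidden_dirs` helper and the simulated filter are hypothetical, and it assumes direct path access succeeds as the quote describes.

```python
import os
import tempfile


def find_hidden_dirs(parent, candidates,
                     enumerate_fn=os.listdir, probe_fn=os.path.isdir):
    """Return candidate names that open by direct path but are
    missing from the directory listing of `parent`."""
    # Windows file names are case-insensitive, so compare lower-cased.
    listed = {name.lower() for name in enumerate_fn(parent)}
    hidden = []
    for name in candidates:
        if name.lower() in listed:
            continue  # visible through enumeration: nothing is hiding it
        if probe_fn(os.path.join(parent, name)):
            hidden.append(name)  # exists by name, absent from the listing
    return hidden


def demo():
    """Constructed scenario: a temp directory stands in for c:\\windows and
    a filtering enumerator stands in for the hiding driver."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("system32", "placeholder_hidden"):
            os.mkdir(os.path.join(root, d))

        def filtered_listing(path):
            # Simulates a driver that strips one entry from enumeration.
            return [n for n in os.listdir(path) if n != "placeholder_hidden"]

        # Hypothetical candidate list; "not_there" does not exist at all.
        names = ["placeholder_hidden", "system32", "not_there"]
        unfiltered = find_hidden_dirs(root, names)
        filtered = find_hidden_dirs(root, names, enumerate_fn=filtered_listing)
        return unfiltered, filtered


if __name__ == "__main__":
    clean, suspicious = demo()
    print("unfiltered view:", clean)
    print("filtered view:  ", suspicious)
```

The check only finds directories whose names are already on the candidate list, which matches the quote's condition that the name must be known.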

However, in a follow-up blog posting, Hypponen says the USB case is not as bad as the CD DRM case.

"The user understands that he is installing software, it's on the included CD, and has a standard method of uninstalling that software.

"The fingerprint driver does not hide its folder as "deeply" as does the XCP DRM folder. The MicroVault software probably wouldn't hide malware as effectively from (some) real-time antivirus scanners."

However, Hypponen does say it is possible to run executable malware from the hidden directory. What's more, the new rootkit, which can still be downloaded from sony.net, can be used by any malware author to hide any folder.

"If you simply extract one executable from the package and include it in malware, it will hide that malware's folder, no questions asked," Hypponen says.

It appears that Sony is not interested in discussing the issue with the security company, which contacted Sony before going public with this case.

"We still haven't received any kind of response from Sony International," Hypponen writes.